output database: [log | alert], [parameter list]
[log | alert]
REQUIRED. Specify to use the
output facilities to store events in the database.
Note: Certain events generated by pre-processors (e.g. those created
by spade and portscan) will only log correctly if the
facility is used.
It is redundant and unnecessary to have an two instances, one an
alert and the other
log, of the
output plugin logging to the same database. This configuration will cause
two events to be logged in the database for every one detected by snort.
[type of database]
REQUIRED. The type database used to log the events. The
possible values are
mysql, postgresql, odbc, mssql, and oracle.
The parameter list consists of key value pairs (See Table 4).
The syntax of the parameter list is a series of
pairs each separated by a space.
The only parameter that is absolutely necessary is
All other parameters are optional but may be necessary
depending on the RDBMS configuration.
Table 4: Snort database output plugin arguments
|dbname||name of the logging database|
|host||host on which the database is stored|
|port||port number on which the database server is listening|
|user||username with which to login into the database|
|password||password of the specified user|
|sensor_name||specifies a custom name (a human readable name) for this sensor.
If a name is not specified, one is automatically generated using
a combination of the sensor's IP address and the interface that
that is being monitored.
In configurations where two instances of Snort are monitoring the
same interface and logging to the same database, this variable
in required and different
|encoding||specified that packet and option payload encoding format
Note: Binary data should be stored as a blob, but these are not portable across databases.
|detail||specifies the level of detail to log for every alert
|ignore_bpf||(Snort v1.9 only) Do we want to create a new sensor definition everytime
the BPF filter is changed?
output database: log, mysql, dbname=snort user=foo host=localhost password=xyz This example will log events to a "mysql" database named "snort" running on "localhost" using the "foo" user with a password of "xyz"